VYPR
Unrated severity · NVD Advisory · Published Jul 1, 2022 · Updated Aug 3, 2024

CVE-2022-1963

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE leaks users' two-factor authentication status in HTML source to unauthenticated attackers, affecting versions 13.4 before 14.10.5, 15.0 before 15.0.4, and 15.1 before 15.1.1.

Vulnerability

An information disclosure vulnerability exists in GitLab CE/EE where the two-factor authentication (2FA) status of group and project members is exposed in the HTML source of the members list page. This affects all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, and all versions starting from 15.1 before 15.1.1 [1]. The `two_factor_enabled` field is included in the JSON data embedded in the page, which is accessible to any visitor, including unauthenticated users.

Exploitation

An unauthenticated attacker can exploit this by sending a GET request to the group members page (e.g., `https://gitlab.com/groups/<group_name>/-/group_members`). The response contains a `div` element with class `js-group-members-list-app` whose `data-members-data` attribute holds a JSON payload. Parsing this JSON reveals each member's `two_factor_enabled` boolean field [1]. No authentication or special privileges are required; the attacker only needs to know the group's URL.

Impact

Successful exploitation allows an attacker to determine whether any user in a public group or project has enabled 2FA (a member of a private group can do the same for that group's members). This information is considered confidential and should only be visible to group owners and maintainers. Knowledge of 2FA status can be used to single out users who do not have 2FA enabled, making account compromise via phishing or credential stuffing more likely to succeed.

Mitigation

GitLab has addressed this issue in versions 14.10.5, 15.0.4, and 15.1.1 [1]. Users should upgrade to one of these fixed versions or later. No workaround is available for affected versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
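Because the affected set is three disjoint ranges rather than a single "13.4 through 15.1.1" span (15.2.0, for instance, is not affected, nor is 13.3.x), it is easy to misjudge an instance from its version string alone. The following is an added example, not GitLab's own tooling, that encodes the ranges from this advisory and classifies a version string; the assumption that GitLab reports its version as `major.minor.patch` with an optional `-ee` suffix is the author's, as is the `-pre` handling.

```python
"""Classify a GitLab version string against the CVE-2022-1963 affected ranges.

Added example (not GitLab's own code). Ranges are half-open [lo, hi): every
version >= lo and < hi is affected, hi itself being the first fixed release.
"""
from typing import Tuple

Version = Tuple[int, int, int]

# Taken from the advisory text: "starting from X before Y" for each branch.
AFFECTED_RANGES = [
    ((13, 4, 0), (14, 10, 5)),   # 13.4 .. 14.10.4
    ((15, 0, 0), (15, 0, 4)),    # 15.0 .. 15.0.3
    ((15, 1, 0), (15, 1, 1)),    # 15.1.0 only
]

FIXED_VERSIONS = [hi for _, hi in AFFECTED_RANGES]


def parse_version(text: str) -> Version:
    """Turn '15.0.3-ee' or '14.10' into a (major, minor, patch) tuple.

    Assumption: a trailing '-ee', '-pre' or similar suffix can be dropped;
    a missing patch component means .0.
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(text: str) -> bool:
    """True if the version lies in any affected range of CVE-2022-1963."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(text: str) -> str:
    """Smallest fixed release on the same branch, or '' if not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return ""


if __name__ == "__main__":
    for sample in ["14.10.4-ee", "14.10.5", "15.0.3", "15.1.0", "15.1.1", "15.2.0", "13.3.9"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} upgrade_to={recommended_upgrade(sample) or '-'}")
```

Run it with no arguments to see the boundary cases; the point worth noticing is that `15.2.0` is newer than every affected version yet never passed through a vulnerable state, while `14.10.4-ee` is affected despite being "older" than nothing in the 15.x ranges.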

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The server-rendered JSON payload in the Group Members page includes the `two_factor_enabled` field for all members regardless of the requesting user's permissions."

Attack vector

An unauthenticated attacker can visit any public group's members page (e.g., `https://gitlab.com/groups/{group_name}/-/group_members`) and inspect the server-provided HTML source [1]. The response contains a JSON-encoded `data-members-data` attribute that exposes the `two_factor_enabled` boolean for each member [1]. No authentication or special privileges are required; the attacker simply parses the HTML with a tool like BeautifulSoup or views the raw response in browser developer tools [1].

Affected code

The vulnerability exists in the Group Members page. The server-rendered HTML includes a `div` with class `js-group-members-list-app` whose `data-members-data` attribute contains a JSON payload that includes the `two_factor_enabled` field for every member [1]. This data is returned to all users, including unauthenticated visitors, even though the UI badge indicating 2FA status is only shown to owners/maintainers [1].

What the fix does

The advisory does not include a published patch diff, but the issue was addressed in GitLab versions 14.10.5, 15.0.4, and 15.1.1 [1]. Given the root cause above, the fix presumably stops emitting the `two_factor_enabled` field in the server-rendered JSON payload for requesters who lack the required permissions (owners/maintainers), so that 2FA status is no longer present in the HTML source served to unauthorized viewers; this is inferred from the advisory's description, not from a diff [1].

Preconditions

  • Network: the target group or project must be publicly accessible (or the attacker must be a member of a private group).
  • Auth: no authentication required; the attacker can be unauthenticated for public groups.

Reproduction

1. As a logged-out user, open any public group's Members page (e.g., `https://gitlab.com/groups/{group_name}/-/group_members`).
2. View the server-provided HTML source (not the browser-rendered DOM).
3. Locate the `div` with class `js-group-members-list-app` and parse its `data-members-data` attribute.
4. The JSON payload contains a `two_factor_enabled` boolean for each member, disclosing their 2FA status [1].
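Steps 3 and 4 above, carried out in code, also double as a post-upgrade check: if the field has gone from the payload, the instance is no longer leaking. The following is an added example written for this page, not GitLab code and not the reproduction used in the advisory. It uses only the standard library (`html.parser` rather than the BeautifulSoup the text mentions) so it runs offline against the constructed sample pages embedded below. The exact nesting of the JSON inside `data-members-data` is not documented on this page, so the walker searches every object in the payload for a `two_factor_enabled` key instead of assuming a path; the `user.members[]` layout of the samples is an assumption, as is the `user.username` field used for naming.

```python
"""Extract leaked two_factor_enabled flags from a GitLab members page.

Added example, not GitLab's own code. Feed it raw HTML (as returned by a
GET of /groups/<name>/-/group_members, fetched with any client) and it
returns {username: two_factor_enabled} for every member record that
still carries the flag. An empty result means nothing leaked.
"""
from __future__ import annotations

import html
import json
from html.parser import HTMLParser
from typing import Any, Dict, Iterator, List


class MembersDataExtractor(HTMLParser):
    """Collect the data-members-data attribute of div.js-group-members-list-app."""

    def __init__(self) -> None:
        super().__init__()
        self.payloads: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        # html.parser unescapes &quot; etc. in attribute values for us.
        if tag == "div" and "js-group-members-list-app" in classes and a.get("data-members-data"):
            self.payloads.append(a["data-members-data"])


def _walk(node: Any) -> Iterator[dict]:
    """Yield every JSON object in the payload, whatever the nesting."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def extract_2fa_status(page_html: str) -> Dict[str, bool]:
    """Map member name -> two_factor_enabled for each record exposing the flag."""
    parser = MembersDataExtractor()
    parser.feed(page_html)
    found: Dict[str, bool] = {}
    for payload in parser.payloads:
        for record in _walk(json.loads(payload)):
            if "two_factor_enabled" in record:
                user = record.get("user") if isinstance(record.get("user"), dict) else {}
                name = user.get("username") or str(record.get("id", "?"))
                found[name] = bool(record["two_factor_enabled"])
    return found


def is_leaking(page_html: str) -> bool:
    """True if the page still discloses any member's 2FA status."""
    return bool(extract_2fa_status(page_html))


# --- Constructed sample pages (not captured from a real instance) -----------
def _render_page(members_data: dict) -> str:
    """Mimic Rails' data-attribute rendering: JSON, HTML-escaped, in quotes."""
    return (
        "<html><body>\n"
        '<div class="js-group-members-list-app" data-members-data="'
        + html.escape(json.dumps(members_data), quote=True)
        + '"></div>\n</body></html>\n'
    )


VULNERABLE_PAGE = _render_page({"user": {"members": [
    {"id": 1, "user": {"username": "alice"}, "two_factor_enabled": True},
    {"id": 2, "user": {"username": "bob"}, "two_factor_enabled": False},
]}})

PATCHED_PAGE = _render_page({"user": {"members": [
    {"id": 1, "user": {"username": "alice"}},
    {"id": 2, "user": {"username": "bob"}},
]}})


if __name__ == "__main__":
    print("vulnerable sample:", extract_2fa_status(VULNERABLE_PAGE))
    print("patched sample leaking:", is_leaking(PATCHED_PAGE))
```

The members without 2FA (`two_factor_enabled: false`) are the ones an attacker would shortlist, which is why `is_leaking` treats any occurrence of the key as a finding rather than only `true` values.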

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)